[sldev] Re: "But your IP wouldn't be safe"

[Jason Giglio]

Able Whitman wrote:
> A subtle but important point is that the viewer discloses the client IP 
> only to the servers that make up the grid, *not* to other users who are 

People who provide web textures are no longer users, they are content 
providers.

> A user's IP address is protected from other users because, for the most 
> part, all interactions with other avatars takes place via the grid, so 
> there are never direct connections between individual clients. If 
> someone has malicious intents and wishes to directly attack the client 
> of another user, the viewer does not provide the would-be attacker with 
> enough information to do so.

This is a mere coincidence of the design, not a design goal.

Back in 2001 or whenever, I seriously doubt the founders of Linden Lab 
said "Hey, lets make a huge, slow, anonymizing proxy service, where all 
the data flows through our central servers to protect people's IP 
addresses from being discovered."

> And importantly, both avenues can be disabled without serious loss of 
> viewer functionality.

If you expect to use the Internet without exposing your IP to content 
providers, you should expect serious loss of functionality.

> In the case of P2P texture distribution, without explicit controls 

I don't support this silly P2P texture idea.  I'm only talking about 
this in terms of web textures, HTML-on-a-prim, ... pretty much all the 
exciting future features that will prevent Second Life from becoming 
irrelevant.

> Worse, the target user has little ability to opt-out of this avenue of 
> information disclosure, since texture downloads happen automatically. 
> Having the user disable P2P texture acquisition would prevent 
> information disclosure but also prevent the user's viewer from being 
> able to display all of the textures needed to render a scene. This is a 
> significant loss of functionality. 

If you expect to use the Internet without exposing your IP to content 
providers, you should expect serious loss of functionality.

> Of course, not everyone is as sensitive to the disclosure of their IP 
> address as others, but this does not make the issue of information 
> disclosure any less important. Currently the viewer offers reasonable 
> control over this kind of disclosure, and new features should not 
> degrade this control, especially not by default, and especially not in a 
> manner which is not practically reversible.

It should, by default, because there is no way Linden Lab can become 
some huge anonymizing proxy service.  The future viability of Second 
Life as a platform for providing content rests on decentralization. 
Decentralization means third party content that does *not* flow through 
Linden Lab servers, in many cases.

-Jason